Hi,
The following vulnerability was published for mitmproxy.
CVE-2026-40606[0]:
| mitmproxy is an interactive TLS-capable intercepting HTTP proxy for
| penetration testers and software developers and mitmweb is a web-
| based interface for mitmproxy. In mitmproxy 12.2.1 and below, the
| builtin LDAP proxy authentication does not correctly sanitize the
| username when querying the LDAP server. This allows a malicious
| client to bypass authentication. Only mitmproxy instances using the
| proxyauth option with LDAP are affected. This option is not enabled
| by default. The vulnerability has been fixed in mitmproxy 12.2.2 and
| above.
https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
https://github.com/mitmproxy/mitmproxy/commit/71c9234057922bc29b9734ec408d712113d294d2 (v12.2.2)
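For context on what "correctly sanitize the username" means for an LDAP lookup, here is an added example (not mitmproxy's code and not the fix in the commit above) that hex-escapes RFC 4515 filter metacharacters before the username is placed in a search filter. The `(uid=...)` filter shape and all helper names are assumptions.

```python
# Added example, not mitmproxy's code: escaping an untrusted proxy-auth
# username before it is interpolated into an LDAP search filter (RFC 4515).
# The `(uid=...)` filter shape and the helper names are hypothetical.

# RFC 4515 section 3: these characters must appear as \XX hex escapes in
# filter assertion values; anything else may be used literally.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` with RFC 4515 filter metacharacters hex-escaped.

    Each character is mapped exactly once, so a backslash is never
    re-escaped by a later substitution.
    """
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw interpolation, so metacharacters in the
    username become part of the filter's structure rather than its value."""
    return f"(uid={username})"


def build_user_filter(username: str) -> str:
    """Hardened pattern: the username is always a literal assertion value."""
    return f"(uid={escape_ldap_filter_value(username)})"


def filter_is_single_equality(ldap_filter: str, attribute: str = "uid") -> bool:
    """Defensive check: the filter is exactly one `(attr=value)` assertion
    whose value contains no unescaped filter metacharacters."""
    prefix = f"({attribute}="
    if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(")")):
        return False
    value = ldap_filter[len(prefix):-1]
    return not any(ch in value for ch in "()*\x00")


# Constructed sample input: a username carrying filter metacharacters.
SAMPLE_USERNAME = "al*ce)"
```

Running `filter_is_single_equality` over both builders with `SAMPLE_USERNAME` shows the unsafe filter changing shape while the escaped one stays a single literal match.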
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40606
https://www.cve.org/CVERecord?id=CVE-2026-40606
Please adjust the affected versions in the BTS as needed.